Merge "networking-guide: Flesh out introduction to network namespaces"
commit dc800a82a0
@ -2,21 +2,51 @@
Network namespaces
==================

A namespace is a container for a set of identifiers. Namespaces provide a level
of direction to specific identifiers and make it possible to differentiate
between identifiers with the same exact name. With network namespaces, you can
have different and separate instances of network interfaces and routing tables
that operate independently of each other.
A namespace is a way of scoping a particular set of identifiers. Using a
namespace, you can use the same identifier multiple times in different
namespaces. You can also restrict an identifier set visible to particular
processes.

For example, Linux provides namespaces for networking and processes, among
other things. If a process is running within a process namespace, it can only
see and communicate with other processes in the same namespace. So, if a shell
in a particular process namespace ran :command:`ps waux`, it would only show
the other processes in the same namespace.

Linux network namespaces
~~~~~~~~~~~~~~~~~~~~~~~~

In a network namespace, the scoped 'identifiers' are network devices; so a
given network device, such as ``eth0``, exists in a particular namespace.
Linux starts up with a default network namespace, so if your operating system
does not do anything special, that is where all the network devices will be
located. But it is also possible to create further non-default namespaces, and
create new devices in those namespaces, or to move an existing device from one
namespace to another.

Each network namespace also has its own routing table, and in fact this is the
main reason for namespaces to exist. A routing table is keyed by destination IP
address, so network namespaces are what you need if you want the same
destination IP address to mean different things at different times - which is
something that OpenStack Networking requires for its feature of providing
overlapping IP addresses in different virtual networks.

Each network namespace also has its own set of iptables (for both IPv4 and
IPv6). So, you can apply different security to flows with the same IP
addressing in different namespaces, as well as different routing.

Any given Linux process runs in a particular network namespace. By default this
is inherited from its parent process, but a process with the right capabilities
can switch itself into a different namespace; in practice this is mostly done
using the :command:`ip netns exec NETNS COMMAND...` invocation, which starts
``COMMAND`` running in the namespace named ``NETNS``. Suppose such a process
sends out a message to IP address A.B.C.D, the effect of the namespace is that
A.B.C.D will be looked up in that namespace's routing table, and that will
determine the network device that the message is transmitted through.

Virtual routing and forwarding (VRF)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Virtual routing and forwarding is an IP technology that allows multiple
instances of a routing table to coexist on the same router at the same time.

Linux network namespaces
~~~~~~~~~~~~~~~~~~~~~~~~

Linux network namespaces provide isolation of the system resources associated
with networking. Each network namespace has its own network devices, IP
addresses, IP routing tables, iptables, and /proc/net directory.
It is another name for the network namespace functionality described above.
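Review bot: the result of this hunk has two subsections titled "Linux network namespaces" (one above the VRF heading and one below it), and the second one closes with "It is another name for the network namespace functionality described above.", which reads as a leftover rather than as a description of VRF. Fold the one distinct fact of the second subsection (each namespace also has its own /proc/net directory) into the first subsection and drop the duplicate heading, or, if the intent is to explain how VRF relates to namespaces, move that closing sentence under the VRF heading and say so explicitly. Two smaller points: "a process with the right capabilities can switch itself into a different namespace" would serve an operator better if it named the capability, CAP_SYS_ADMIN, which is what setns(2) requires, since that is the privilege boundary that keeps a process confined to its namespace; and "Suppose such a process sends out a message to IP address A.B.C.D, the effect of the namespace is that" is a comma splice, better split as "Suppose such a process sends out a message to IP address ``A.B.C.D``. The effect of the namespace is that ...", with ``A.B.C.D`` marked up as a literal the way ``eth0`` and ``COMMAND`` are.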